hxxp://photo[.]isu[.]pub/default_user/photo_large[.]png

Analysis

max time kernel
120s
max time network
101s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13/10/2024, 11:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://photo.isu.pub/default_user/photo_large.png

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133732924262389416"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe
Token: SeShutdownPrivilege	3812	chrome.exe
Token: SeCreatePagefilePrivilege	3812	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 4140	3812	chrome.exe	77
PID 3812 wrote to memory of 4140	3812	chrome.exe	77
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 2368	3812	chrome.exe	78
PID 3812 wrote to memory of 1784	3812	chrome.exe	79
PID 3812 wrote to memory of 1784	3812	chrome.exe	79
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80
PID 3812 wrote to memory of 3084	3812	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://photo.isu.pub/default_user/photo_large.png
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff95b2cc40,0x7fff95b2cc4c,0x7fff95b2cc58
  2⤵
  PID:4140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1832,i,14143561743067684402,2816372933026629896,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:2368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,14143561743067684402,2816372933026629896,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,14143561743067684402,2816372933026629896,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3020,i,14143561743067684402,2816372933026629896,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3044 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3008,i,14143561743067684402,2816372933026629896,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4376,i,14143561743067684402,2816372933026629896,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4676,i,14143561743067684402,2816372933026629896,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:1104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=212,i,14143561743067684402,2816372933026629896,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=740 /prefetch:8
  2⤵
  PID:3800

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9a261149cad15124a18273b61fffead0

SHA1
243234193e4f78aaee6f1c27663950d49afdaa2c

SHA256
ecdf41214baf260d93316a868f1aca0db9bab408c2adf3ce52cf6ea8d7caba42

SHA512
d58abba8fa07eb1e61a84a6fd68eca89c1bd37c265f199f94c45d40e4b4ee163add7d12e3fed0d42fe26c4825b964109f362dfa86f3a0b13b60041e11e7a2894

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4204173a6deb2cbec4ec3e18296d13bf

SHA1
f976bdc48ef364bc49145047706f869bf0919169

SHA256
b06880784eba211806583f5cadfa2e68b9d5e2437d85b350e1dba647639f0039

SHA512
c56e59aaa379e4784600abe0ee538078dac4f388a3b342de10248771dc98f0ba864da02f6ded6decc3fccfe8df87db4104f055b25d403373c9f220dd8e629a0c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
55dab77149c21ee903eb539e9ef73bfe

SHA1
857f18ab7809412084b6f039151178097f728a55

SHA256
8c13b83d786f1089a13d3bb3d8114eaf8e4a2327f2b0c91c79376e97427992e0

SHA512
5d38a730d95734fe3a4adde25f3dc0230a610e8b3ffdc28f2bfbb2fa306526363098edf5bc5042dc279f2820adc5e3ee98b6d34b99e3769c8c8b85ffeb13a5b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b80bcee5b9df5d94e0291777fc8fe2e

SHA1
61a2d3ac1b2ad29346929abfe2d7fd22149eb66e

SHA256
c20187d1443da99f3c65c81ea87b02ae552ed863dcee516a4bf09f0ab7aebf05

SHA512
6b5e9badee57dd0c984ad007371c29014523692a9bffe954f49bf7222802de0d1ff919afbddb6928e95adebcb2ce22f8ba51f1163cc266620d480ea24267920a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e584f2e7c87da181314ddc8a80284926

SHA1
9c57f2afc257dceff1c5ed813f5105b21a41e394

SHA256
87568302353af7255876bd93af9bb6757fb0b4cc3c660db4a84da5164df85dea

SHA512
86c64e3bed068ce245cccf7f4986438ad5a47c52b3a4937f83eb30b0a7a824defc9a85b10a3f968f457c1982d780584dc05c06e97e94dd4fccfd8fbe6d95c2c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
0a446039b4fab95e4f51317332d57405

SHA1
ce30f85c109429183aedb3418c92693f4412c9f1

SHA256
34af6e748f195246d3162a3a2883db1fbf357e35e31696ebfed578d59da92588

SHA512
c57e5ed75614953ef924a937d2b64a78572a998fc45b0ea842c3cafc090a6240c92be42dc90e32f1ae55313ab85953ab10787a3971df9644300e1208b0a2b81b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
b987ee4fdc2cc8632e2fc681f9cd9652

SHA1
7092b549540e4c263f41f676695a1eda117d6c3a

SHA256
65e29fcefd3edfc15aeb09abd2237ffd5808b6a45fe5a14fe2478af5dd5f19d2

SHA512
ae8a8f8884e0787d4e7d2f17f556f93827f7d5d781c4a44b47b6a5103f4b72dcf3ab5418871194d5de85b55dd53821a00961c9221ac20563fbd48216c37d8a6b

Download Submit